Abstract

The Test and Evaluation Community Network
(TECNET) is building a Multilevel Secure (MLS)
system. This system features simultaneous access
to classified and unclassified information and easy
access  through  widely  available  communications 
channels.  It  provides  the  necessary  separation  of 
classification  levels,  assured  through  the  use  of 
trusted  system  design  techniques,  security 
assessments  and  evaluations.  This  system  enables 
cleared  T&E  users  to  view  and  manipulate 
classified  and  unclassified  information  resources 
either  using  a  single  terminal  interface  or  multiple 
windows  in  a  graphical  user  interface. 

TECNET  is  in  direct  partnership  with  the  National 
Security  Agency  (NSA)  to  develop  and  field  the 
MLS  TECNET  capability  in  the  near  term.  The 
centerpiece  of  this  partnership  is  a  state-of-the-art 
Concurrent  Systems  Security  Engineering  (CSSE) 
process.  In  developing  the  MLS  TECNET 
capability,  TECNET  and  NSA  are  providing 
members,  with  various  expertise  and  diverse 
backgrounds,  to  participate  in  the  CSSE  process. 
The  CSSE  process  is  founded  on  the  concepts  of 
both  Systems  Engineering  and  Concurrent 
Engineering. Systems Engineering is an
interdisciplinary approach to evolve and verify an
integrated and life cycle balanced set of system
product and process solutions that satisfy customer
needs (ASD/ENS-MIL STD 499B 1992).

Concurrent  Engineering  is  design  and 
development  using  the  simultaneous,  applied 
talents  of  a  diverse  group  of  people  with  the 
appropriate  skills.  Harnessing  diverse  talents  to 
support  CSSE  requires  active  participation  by 
team  members  in  an  environment  that  both 
respects  and  encourages  diversity.  The  synergy  of 
Concurrent  Engineering  with  Systems 
Engineering  results  in  an  explosion  of  rich  design 
solution  sets,  maximizing  the  value-added  by 
TECNET  to  its  users. 


To  date,  the  results  of  the  TECNET/NSA 
partnership  are  dramatic.  The  resulting  system 
design meets TECNET growth
expectations, addresses existing national and
Department  of  Defense  (DoD)  policies,  defines  the 
TECNET  MLS  administrative  practices,  and  is 
expected  to  be  certified  at  an  acceptable  level  of 
risk. 

TECNET  Background 

TECNET  exists  to  support  the  DoD  in  the  conduct 
of  both  developmental  and  operational  Test  and 
Evaluation.  This  support  extends  to  the  United 
States  armed  services,  defense  agencies,  the  Office 
of  the  Secretary  of  Defense  and  qualified  defense 
contractors  who  provide  T&E  support  to  the  DoD. 
TECNET  offers  full  featured  electronic  mail,  an 
extensive  bulletin  board  service,  flexible  file 
repository  systems  for  text  and  binary  file 
exchange,  integrated  facsimile  capabilities, 
extensive  database  support,  Internet  access  and 
specialized  information  services.  TECNET 
currently  serves  over  5,500  registered  users 
supporting  defense  acquisition  from  the  T&E 
perspective. 

Current  System  Configuration 

TECNET  operates  an  accredited  C2  level  system 
for  unclassified  information  from  the  Naval  Air 
Warfare  Center  -  Aircraft  Division,  Patuxent 
River,  Maryland.  This  system  is  accessible  via 
direct  dial-up  modem  lines,  the  Defense  Data 
Network  (DDN),  the  Defense  Research  and 
Engineering  Network  (DREN),  and  the  Federal 
Telephone System for the year 2000 (FTS-2000).
Another  accredited  C2  level  System  High 
SECRET  TECNET  capability  also  operates  from 
the  Aberdeen  Proving  Ground,  Aberdeen, 
Maryland.  This  system  is  accessible  via  the 
Defense  Secure  Network  1  (DSNET  1)  and  via 
direct  dial-up  lines  utilizing  STU-III  devices. 


It has been a TECNET goal since 1989 to integrate
its classified and unclassified operations. Such
integration  was  perceived  as  necessary  to 
eliminate  the  costly  redundancy  of  systems  and 
data  brought  about  by  the  distinctly  separate 
systems  serving  the  same  community.  Moreover, 
user  acceptance  of  the  classified  capability  would 
be  better  served  if  all  appropriate  data  were  more 
accessible  in  context.  For  these  reasons,  TECNET 
launched  a  focused  applied  research  and 
development  effort  in  1991.  This  initiative  was 
aimed  at  better  understanding  the  dynamics  and 
economics  of  operating  an  MLS  TECNET 
capability  in  the  not  too  distant  future. 

Recent  Events 

The  initial  TECNET  MLS  research,  funded 
through  the  Defense  Acquisition  Security 
Protection  (ASP)  program,  brought  TECNET  to 
NSA. A natural union formed as TECNET and
NSA  learned  that  many  key  objectives  were 
mutual  and  intertwined.  As  a  result  of  their  MLS 
oriented  research  program,  the  TECNET  staff 
became  increasingly  aware  that  multiple 
disciplines would be necessary to field an MLS
capability. At the same time, NSA was developing
the engineering, management, and documentation
concepts underlying an up-front concurrent
systems engineering approach. By 1993, the
affinity between TECNET’s MLS needs and the
rapidly maturing NSA CSSE approach became
evident. TECNET clearly needed a
multi-disciplinary accelerated approach to MLS
development  at  the  same  time  that  NSA  was 
constructing  a  sound  CSSE  process.  A  concurrent 
systems  engineering  team  was  formed  and 
working  by  the  end  of  1993. 

The  TECNET  team  brings  several  necessary 
perspectives  to  the  table.  The  system 
administration  function,  system  security 
management  role,  system  engineering  activities, 
network  security  and  planning  responsibilities  and 
the  program  management  functions  are  fully 
represented  within  the  TECNET  team. 
Additionally, a tri-service certification team is in
place to carry out the important, independent task
of system certification. These individuals are
integrated  into  the  CSSE  process.  In  this  and  other 
cases,  functional  subgroups  are  identified  for 
separate  deliberations  in  specialty  areas,  as 
required.  TECNET  is  also  seeking  full 
accreditation  through  its  management  structure  via 
the  two  star  Board  of  Operating  Directors  (BOOD) 
for  Test  and  Evaluation.  This  group  oversees  the 
TECNET Steering Committee, which is a
multi-service committee responsible for the management
of  TECNET. 

Concurrent  Systems  Security 
Engineering  Team 

The  TECNET  Executive  Secretariat  and  the  NSA 
CSSE  Manager  provided  the  leadership  for  the 
MLS  TECNET  CSSE  team.  Three  primary 
objectives  were  identified  by  the  leadership  for  the 
CSSE  team  that  served  as  a  focus  for  the  group’s 
efforts  and  activities.  These  objectives  were  used 
by  the  team  to  help  drive  design  alternatives, 
analysis, and decisions. A set of CSSE principles
was developed to govern the dynamics of the
CSSE  team.  The  objectives  of  the  CSSE  team  and 
the  foundation  CSSE  principles  are  described 
below. 

Team  Objectives 

The  program  plan  for  MLS  TECNET  showed  an 
initial operating capability (IOC) of 2nd quarter,
Fiscal Year 1995. The highest priority group
objective was to perform a certification of the
MLS TECNET system and achieve accreditation
in time to support the planned IOC. This objective
was  particularly  challenging  given  the  tri-service 
nature  of  MLS  TECNET.  The  second  objective 
was  to  analyze,  define,  and  implement  a  “system” 
security  solution.  In  this  context,  the  term 
“system”  is  being  used  to  refer  to  the  collection  of 
hardware,  software,  people,  policies,  and 
procedures  working  together  as  a  whole  under 
regulated  conditions.  This  objective  was 
especially  meaningful  because  the  team 
recognized the potential for the introduction of a
significant administrative burden associated with
the use of MLS technology. The third objective
was to define a plan for transitioning from the
current TECNET system to the goal of a single
MLS host TECNET system supporting access to
distributed databases.

Team  Principles 

In  forming  the  CSSE  team,  the  TECNET 
leadership  established  a  series  of  underlying 
principles  that  would  guide  the  team’s 
interactions.  These  principles  evolved  from  the 
management  philosophies  of  the  team  leader 

These  principles  were: 

•  Each  team  member  must  recognize  that  every 
team  member  has  value 

• Each team member has the same right to
attend, speak, and contribute at any team meeting

•  Each  team  member  must  share  in  a  common 
goal  and  know  the  goal 

•  Each  team  member  may  contribute  toward 
developing  the  process 

• The team must consist of members with the
necessary skills (or members having the capability
to learn the skills) to achieve the goal

•  Each  team  member  must  not  repeat  anything 
that  is  said  in  confidence 

• Each team member must be recognized
commensurate with their contribution

•  Each  team  member  must  be  prepared  to 
accommodate  the  learning  characteristics  (e.g., 
rates,  style)  of  the  other  members 

•  Each  team  member  is  expected  to  maintain  an 
attitude  of  continual  learning. 

These  principles  provided  the  framework  for 
effective  team  dynamics.  For  the  CSSE  team  to 
achieve  its  full  potential,  the  team  needed  a 
strategy  for  achieving  its  goal.  This  strategy  was 
provided  by  the  CSSE  process. 


Concurrent  Systems  Security 
Engineering  Process 


The  TECNET  CSSE  team  adopted  the  NSA  CSSE 
process  to  serve  as  its  roadmap  for  progress 
through  the  development  effort.  The  team  was 
encouraged,  by  the  team  leadership,  to  refine  and 
enhance  the  process  based  on  the  experience  of 
individual  members  and  to  tailor  the  process  as 
necessary  for  applicability  to  the  MLS  TECNET 
initiative. 


Process  Description 

The CSSE process applied by the CSSE team in
the development of MLS TECNET is shown in
Figure 1. The process shown in Figure 1 was
developed based on the concepts presented in
reference papers 1 and 2 (ASD/ENS-MIL STD
499B 1992 and Forsberg and Mooz 1991). The
process was refined by the CSSE team to
incorporate contributions made by each member.
This approach to the CSSE process development
encouraged personal commitment to the process
from every member of the CSSE team.
Additionally,  CSSE  process  definition  was 
enhanced  by  the  diversity  of  contributions 
received  from  area  disciplines  on  the  CSSE  team. 


Figure 1: CSSE Process

In Figure 1, the leftmost flow from system
requirements analysis to subsystem specification
represents the system to subsystem decomposition
process. At each stage of the development
process, the system is further developed and
specified in a top down hierarchical fashion. At
every level of design decomposition, the 499B
model of requirements analysis, functional
analysis/allocation, synthesis (physical analysis),
and systems analysis and control is applied. At the
bottom of this flow the smallest specified units
(i.e., subsystems) are either procured or designed
and fabricated per the detailed specifications. The
rightmost flow from subsystem verification to
subsystem validation represents the subsystem to
system recomposition process. This rightmost
flow indicates that the subsystems are first tested
as isolated units against the appropriate subsystem
specifications (i.e., verification). The subsystems
are then integrated and tested for compliance with
system level specifications. Finally, the system is
evaluated to determine its effectiveness in meeting
customer needs (i.e., validation).

Significant  Attributes  Of  The  Process 

There are a number of systems engineering
process models that have evolved in recent years
(e.g.,  waterfall  and  spiral).  The  CSSE  team  has 
identified  several  of  the  most  significant  attributes 
of  the  CSSE  process  used  by  TECNET.  These 
attributes  appear  to  be  relevant  to  any  system 
requiring  security  regardless  of  the  systems 
engineering  model  being  applied  by  the 
developers. 

The  significant  attributes  of  the  CSSE  process  are 
presented below:

• Area disciplines participate in the program
from the beginning and are involved throughout
the development effort

  - Involvement of a policy and doctrine
    analyst to provide guidance on the policies,
    laws, and regulations associated
    with the information processed by the
    system

  - Involvement of a threat analyst to provide
    a specific threat profile for the
    system based on its intended application,
    the information it processes, and
    its geographic location

  - Identification and involvement of the
    Designated Approval Authority, not
    directly involved in day to day activities,
    but informed on system objectives
    and progress

  - Empowerment of the certification officials
    (TECNET had tri-service issues)
    to comment on the design during the
    system engineering process. The certification
    official is delegated down to a
    working level to allow a proactive
    identification of system risk beginning
    with the requirements analysis through
    subsystem procurement to system validation

  - Involvement of a security evaluator
    throughout the design process to provide
    security design guidance and to
    participate in the system security risk
    assessment

  - Involvement of a system integrator to
    provide design guidance that facilitates
    effective system integration. System
    integrators additionally are afforded
    the opportunity to develop a more in
    depth understanding of system integration
    requirements by participating in
    the integration requirements development

  - Involvement of a system administrator
    to provide design guidance that reduces
    the potentially significant administrative
    burden.

• Structured top down design approach

• Identification of design derived requirements
for every level of design detail

  - Refinements of initial customer
    requirements

  - Applicable policy and doctrine

  - Applicable standards

  - Technology constraints

  - Risk assessment and management

• Progressive and structured, informal design
reviews

• Subgroups established on an as needed basis
with specific objectives for accomplishment
and associated timeframes

• Requirements tracking and design compliance
analysis for every level of design detail

• Detailed, structured design documentation that
can be reused by other similar systems

MLS  TECNET  is  currently  in  the  Subsystem 
Specification  Phase  of  the  CSSE  process.  While 
MLS TECNET has not fully executed the CSSE
process, the initial results have been extremely
encouraging. Each of the CSSE team members
has realized value from their involvement in the
process. 

Benefits  To  Date 

The  MLS  TECNET  effort  has  realized  the 
following  benefits  from  the  CSSE  approach: 

• Richer design solution set(s) based on diversity
and resulting synergy of CSSE team participants

•  Customer  input  and  design  validation,  during 
the  development  process,  through  structured 
CSSE  team  meetings 

•  Up  front  and  concurrent  risk  identification  in  a 
very  proactive  manner.  This  enables  the  team 
to  address  security  issues  early  in  the  process. 
Early  identification  of  vulnerabilities  allows 
for  timely,  cost  effective,  and  operationally 
viable  solutions  to  be  proposed 

•  Documentation  of  decisions  and  the  rationale 
behind  the  decisions  facilitates  the  certification 
and  accreditation  effort  and  provides  a  focus 
for  additionally  required  evaluation  effort. 

•  An  accelerated  integration  schedule 

• Mutual teaming between agencies that has
made the acquisition of funding and skills,
such as the certification team, far more credible
and easily accomplished

• Mutual respect among the team members that
has fostered a professional atmosphere, highly
charged with enthusiasm. Such respect could
not have emerged without the natural association
of TECNET and NSA members.

Conclusions 

The  activities  of  the  joint  TECNET/NSA  CSSE 
team  have  grown  in  intensity  and  significance 
since  the  team’s  inception.  The  system 
administration  function,  system  security 
management  role,  system  engineering  activities, 
network security and planning responsibilities and
the  program  management  functions  are  fully 
represented  within  the  TECNET  team.  NSA 
brings  great  and  complementary  expertise  to  the 
table.  TECNET  also  has  integrated  a  tri-service 
certification  team  into  the  full  CSSE  process.  The 
natural  dynamic  between  the  operational 
experience  of  the  TECNET  members  and  the 
security  perspective  of  the  NSA  members  has 
produced  a  meaningful  outcome  at  each  stage  of 
the  CSSE  process.  It  is  this  process,  which  all 
parties  have  pledged  to  follow,  that  focuses  the 
mutual  activities  of  all  concerned.  At  each  stage  of 
this  well  defined  CSSE  process  the  level  of 
specificity  grows  as  the  options  clearly  narrow 
through  strong  consensus.  While  discussion  is 
frequently  animated  and  vivid,  the  process  places 
clear  focus  on  the  ultimate  team  dynamic.  To  date, 
the  process  has  served  as  the  glue  that  makes  the 
otherwise  highly  diversified  team  cohesive. 

The  benefits  of  this  experience  to  TECNET  have 
been  invaluable.  Left  to  its  own  devices, 
TECNET  may  have  reached  similar  conclusions, 
but  it  is  doubtful  that  many  of  the  desirable 
attributes  of  the  CSSE  process  would  have  ever 
been  fulfilled.  Moreover,  all  parties  brought  skills 
not  easily  replicated  or  even  available  in  each  of 
the complementary organizations (i.e., TECNET
and  NSA).  Finally,  joint  recognition  of  the 
soundness  of  the  CSSE  process  has  helped  forge 
the  vital  links  between  the  various  team  players. 
Mr. George F. Hurlburt serves as the newly appointed Technical Director for the Test and Evaluation
Corporate Information Management (CIM) initiative within the Joint Program Office for Test and
Evaluation (JPO(T&E)). He also serves as the Executive Secretariat for the Test and Evaluation
Community Network (TECNET). In this capacity, he works through a designated TECNET deputy.
TECNET is responsible to the tri-service TECNET Steering Committee, which in turn, reports to the
Board of Operating Directors (BoOD) for Test and Evaluation. Mr. Hurlburt is a senior manager
permanently assigned to the Computer Sciences Directorate of the Naval Air Warfare Center - Aircraft
Division, Patuxent River, Maryland. Prior to his assignment to TECNET in 1990, he ran the Naval Air
Test Center's Information Resources Management (IRM) Office. In this capacity, he successfully
launched a Business System Planning (BSP) initiative which led to systematic adoption of corporate
information engineering methodologies. Before this assignment, he served as a senior IRM systems
analyst responsible for the design and implementation of lasting command wide information systems. Mr.
Hurlburt managed the Naval Air Test Center's Technical Information Department and spent eight of his
seventeen years at the former Naval Air Test Center as a special assistant on the staff of the Commander.

Mr. Hurlburt is a former Naval Officer and possesses a bachelor of sciences degree from the University
of Houston. He is a 1990 graduate of the Naval Air System Command's Senior Executive Management
Development Program (SEMDP) and served a one year developmental tour in the Office of the Secretary
of Defense.
And Electronics Conference, and . fTACTS) ” AFCEA Security Symposium,

Parties  (UCP's)  In  The  Tactical  Air  ^^^f^f^^^^^cirical  and  Electronics  Engimers 
August  1990.  Ms.  Acevedo  is  a  member  (AFCEA),  and  National 
National Security Agency


“Mr. Bradley B. Hildreth serves as the Concurrent Systems Security Engineer Manager,
providing integrated security services to TECNET within the National Security Agency. He
received a Bachelor of Science in Electrical Engineering from Rensselaer Polytechnic Institute
and a Master of Science in Applied Behavioral Science from Johns Hopkins University. He is a
graduate of the Johns Hopkins Fellowship in Organization and Community Systems. No
stranger to the bench, Mr. Hildreth began his career testing integrated circuits. Altogether, he
has lived Information Systems Security for the past ten years. His prior assignments have
included designing the information protection, access control, and data integrity of a
satellite-based data communications system.

He is currently developing the multi-disciplinary information security consulting capability at
the National Security Agency. This capability applies the combined efficiencies of Concurrent
Engineering, Systems Engineering, Data Capture and Reuse to provide world-class Information
Systems Security support - traditionally only available to very large programs - to small and
medium sized system development efforts.”


